[Logcheck-devel] Bug#775090: logcheck-database: Should filter ssh preauth disconnect ok messages
Enrico Zini
enrico at enricozini.org
Wed Feb 10 10:58:28 UTC 2016
On Sun, Jan 11, 2015 at 08:40:59AM +0100, Adrian Heine wrote:
> I get tons of messages for sshd like these:
> Received disconnect from [IP]: 11: ok [preauth]
> `Bye Bye [preauth]` is already filtered out.
I also get them with an empty string instead of ok or "Bye Bye":
… sshd[25563]: Received disconnect from 125.88.177.93: 11: [preauth]
… sshd[25565]: Received disconnect from 125.88.177.93: 11: [preauth]
… sshd[25569]: Received disconnect from 125.88.177.93: 11: [preauth]
… sshd[25594]: Received disconnect from 125.88.177.93: 11: [preauth]
… sshd[25596]: Received disconnect from 125.88.177.93: 11: [preauth]
… sshd[25598]: Received disconnect from 125.88.177.93: 11: [preauth]
So I tweaked your rule this way:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:.[:xdigit:]]+: 11: (Bye Bye|ok|) \[preauth\]$
Enrico
--
GPG key: 4096R/E7AD5568 2009-05-08 Enrico Zini <enrico at enricozini.org>
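As an added check that is not part of the thread, the script below runs the proposed rule through grep -E, which is how logcheck applies its ignore patterns, against a few constructed sshd lines: the three preauth disconnect variants (empty reason, "ok", "Bye Bye") that the rule is meant to drop, plus two lines that should still be reported. The hostname "host", the timestamps and the PIDs are made up; the sample lines also assume that sshd separates the (possibly empty) reason from "[preauth]" with a space, so an empty reason leaves two spaces after "11:" (the pasted lines in the mail above look whitespace-collapsed in the archive).

```shell
#!/bin/sh
# Added example, not code from the bug report: exercise the proposed
# logcheck ignore rule with grep -E (GNU grep, as used by logcheck on Debian).

RULE='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:.[:xdigit:]]+: 11: (Bye Bye|ok|) \[preauth\]$'

# Constructed sample syslog lines (hostname, times and PIDs invented).
# Lines 1-3 are the preauth disconnect variants the rule should ignore;
# note the two spaces before "[preauth]" when the reason string is empty.
# Lines 4-5 are disconnects the rule should NOT swallow: an unfiltered
# reason text, and a disconnect that happened after authentication.
SAMPLE='Feb 10 10:58:28 host sshd[25563]: Received disconnect from 125.88.177.93: 11:  [preauth]
Feb  9 01:02:03 host sshd[25565]: Received disconnect from 125.88.177.93: 11: ok [preauth]
Feb 10 10:58:30 host.example sshd[25569]: Received disconnect from 125.88.177.93: 11: Bye Bye [preauth]
Feb 10 10:58:31 host sshd[25594]: Received disconnect from 125.88.177.93: 11: disconnected by user [preauth]
Feb 10 10:58:32 host sshd[25596]: Received disconnect from 125.88.177.93: 11: Bye Bye'

# Number of sample lines the rule filters out (logcheck would stay silent on these).
count_ignored() {
    printf '%s\n' "$SAMPLE" | grep -E -c "$RULE"
}

# Number of sample lines that would still show up in the logcheck report.
count_reported() {
    printf '%s\n' "$SAMPLE" | grep -E -v -c "$RULE"
}

# The lines themselves, for eyeballing what gets through.
remaining() {
    printf '%s\n' "$SAMPLE" | grep -E -v "$RULE"
}

echo "ignored:  $(count_ignored)"
echo "reported: $(count_reported)"
remaining
```

The second sample line uses a single-digit day ("Feb  9"), which syslog pads with a space; the `[ :[:digit:]]{11}` part of the rule covers that form as well as "Feb 10". The fourth line shows why the alternation is kept narrow: any reason text other than empty, "ok" or "Bye Bye" still reaches the report, and the fifth line shows that the same message without the "[preauth]" suffix is not filtered either.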